Forum Discussion
kazeem_yusuf1
Nimbostratus
Aug 01, 2018
An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community,
I have a requirement to allow enriched HTTPS header enrichment. The SSL negotiation (I'm doing SSL termination on F5) fails because the enriched header from the client contains res...
Stan_PIRON_F5
Employee
Nov 05, 2019
```tcl
# Client side: if the ClientHello carries extension type 17516, save its
# bytes for the server-side handshake; otherwise remember that it was absent.
when CLIENTSSL_HANDSHAKE {
    if { [SSL::extensions exists -type 17516] } then {
        set tls_extension [SSL::extensions -type 17516]
    } else {
        set tls_extension ""
    }
}
# Server side: replay the saved extension into the ClientHello that BIG-IP
# sends to the pool member. (The variable name must match the one set above;
# the original post still referenced tls_sni_extension from the SNI relay iRule.)
when SERVERSSL_CLIENTHELLO_SEND {
    if { $tls_extension ne "" } then {
        SSL::extensions insert $tls_extension
    }
}
```
This code is a copy of this code, with your extension type:
https://devcentral.f5.com/s/articles/client-side-to-server-side-sni-relay-irule-967
Stan_PIRON_F5
Employee
Nov 07, 2019
So the last version is working to:
- extract and remove attribute 17516 from the client-side CLIENT_HELLO before the BIG-IP TLS stack catches the packet (to make the packet RFC compliant, because the incoming packet was not)
- insert it in the server-side CLIENT_HELLO with full TLS RFC compliance
The previous rule was doing the same; the only change I made was to convert a signed integer to unsigned, which may not solve the issue but prevents an infinite loop if a malformed packet was sent.
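As an added example that is not part of the thread and not F5's code, the two steps described above modelled in stand-alone Python: parse the ClientHello record, strip extension type 17516 from the client-side hello, then insert it into the server-side hello with the record, handshake and extensions length fields recomputed. All function names, the sample ClientHello bytes and the enrichment payload are constructed for this example. Lengths are read as unsigned 16-bit values and bounds-checked, which is the same concern as the signed-to-unsigned change mentioned in the post: a malformed length is rejected rather than looped on.

```python
# Added example, not the iRule from this thread and not F5 code: a stand-alone
# Python model of the relay the post describes. It parses a TLS ClientHello
# record, strips the unassigned extension type 17516 on the client side and
# re-inserts it on the server side, recomputing every length field on the way.
import struct

EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_UNASSIGNED = 17516  # 0x446C, the type from the thread

def _need(buf: bytes, off: int, n: int) -> None:
    """Bounds check: reject a read past the end instead of trusting a bad length."""
    if off + n > len(buf):
        raise ValueError("truncated record at offset %d" % off)

def _u16(buf: bytes, off: int) -> int:
    """Big-endian *unsigned* 16-bit read. A signed read (e.g. Tcl 'binary scan ... S')
    can yield a negative length and push the offset backwards; unsigned never does."""
    _need(buf, off, 2)
    return struct.unpack_from(">H", buf, off)[0]

def parse_client_hello(rec: bytes) -> dict:
    """Split rec (record header + handshake header + ClientHello) into the fixed prefix
    before the extensions and a list of (type, data). Inconsistent lengths raise ValueError."""
    _need(rec, 0, 9)
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    if _u16(rec, 3) != len(rec) - 5:
        raise ValueError("record length mismatch")
    if int.from_bytes(rec[6:9], "big") != len(rec) - 9:
        raise ValueError("handshake length mismatch")
    off = 9 + 2 + 32                      # skip client_version + random
    _need(rec, off, 1)
    off += 1 + rec[off]                   # session_id
    off += 2 + _u16(rec, off)             # cipher_suites
    _need(rec, off, 1)
    off += 1 + rec[off]                   # compression_methods
    ext_total = _u16(rec, off)
    ext_start = off + 2
    if ext_start + ext_total != len(rec):
        raise ValueError("extensions length mismatch")
    exts, p = [], ext_start
    while p < len(rec):                   # p grows by at least 4 per pass, so this terminates
        etype, elen = _u16(rec, p), _u16(rec, p + 2)
        _need(rec, p + 4, elen)
        exts.append((etype, rec[p + 4:p + 4 + elen]))
        p += 4 + elen
    return {"prefix": rec[9:ext_start - 2], "extensions": exts}

def build_client_hello(prefix: bytes, exts) -> bytes:
    """Inverse of parse_client_hello: re-encode the extensions and recompute the
    extensions, handshake and record lengths so the result is self-consistent."""
    ext_block = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = prefix + struct.pack(">H", len(ext_block)) + ext_block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def strip_extension(rec: bytes, ext_type: int):
    """Client side: drop ext_type so the hello only carries types the TLS stack accepts.
    Returns (cleaned_record, extension_data_or_None)."""
    ch = parse_client_hello(rec)
    data = next((d for t, d in ch["extensions"] if t == ext_type), None)
    kept = [(t, d) for t, d in ch["extensions"] if t != ext_type]
    return build_client_hello(ch["prefix"], kept), data

def insert_extension(rec: bytes, ext_type: int, data: bytes) -> bytes:
    """Server side: append the saved extension to the hello sent to the pool member."""
    ch = parse_client_hello(rec)
    return build_client_hello(ch["prefix"], ch["extensions"] + [(ext_type, data)])

def relay(client_rec: bytes, server_rec: bytes, ext_type: int = EXT_UNASSIGNED):
    """Both iRule events in one call: strip on the client side, insert on the server side."""
    cleaned, data = strip_extension(client_rec, ext_type)
    return cleaned, (server_rec if data is None else insert_extension(server_rec, ext_type, data))

def extension_types(rec: bytes) -> list:
    return [t for t, _ in parse_client_hello(rec)["extensions"]]

def is_well_formed(rec: bytes) -> bool:
    try:
        parse_client_hello(rec)
        return True
    except ValueError:
        return False

# Constructed sample input (not captured traffic).
_PREFIX = (b"\x03\x03" + b"\x11" * 32       # TLS 1.2 + fixed "random"
           + b"\x00"                         # empty session_id
           + b"\x00\x04\x13\x01\xc0\x2f"     # two cipher suites
           + b"\x01\x00")                    # compression: null only
_SNI = b"\x00\x0e\x00\x00\x0bexample.com"    # server_name list for example.com
_GROUPS = b"\x00\x04\x00\x1d\x00\x17"        # x25519, secp256r1
ENRICHMENT = b"constructed-enrichment-payload"
CLIENT_SIDE_HELLO = build_client_hello(_PREFIX, [
    (EXT_SERVER_NAME, _SNI), (EXT_UNASSIGNED, ENRICHMENT), (EXT_SUPPORTED_GROUPS, _GROUPS)])
SERVER_SIDE_HELLO = build_client_hello(_PREFIX, [(EXT_SERVER_NAME, _SNI)])
# Same record with its extensions_length field (bytes 52..53) overwritten: must be rejected.
MALFORMED_HELLO = CLIENT_SIDE_HELLO[:52] + b"\xff\xff" + CLIENT_SIDE_HELLO[54:]
```

Calling `relay(CLIENT_SIDE_HELLO, SERVER_SIDE_HELLO)` returns the client-side hello with only types 0 and 10 left, and the server-side hello with type 17516 appended and its three length fields rebuilt; `is_well_formed(MALFORMED_HELLO)` returns False because the bogus 0xFFFF extensions length is caught before any per-extension loop starts.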